Community discussions

 
Cvan
Member Candidate
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Extend dynamic VLANs to Wireless 802.1x

Thu Oct 03, 2019 3:55 am

Wired - MT RB2011 ( ROS 6.45.6 )with dynamic vlans (50,60,70) dot1x with Radius Auth
Wireless - MT hAP ac^2 on Ether 5 of MT RB2011 as wireless capsman

How can I extend my dynamic vlans to my wireless clients or can I through Radius Auth or can I?
I have made some attempts with different configs but with no success.

Goal is to have wireless client authenticate against radius server via single AP (SSID) then get assigned vlan dynamically based on Tunnel-pvt-group response from Radius server.

I can get the response back from the radius server for the wireless clients with the required vlan information for the MT hAP ac^2, but corresponding vlan dhcp server is not assigning IP based on vlan id... not sure; or if can do this at all?
 
andriys
Forum Guru
Forum Guru
Posts: 1179
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Extend dynamic VLANs to Wireless 802.1x

Thu Oct 03, 2019 1:07 pm

Isn't this what you are looking for: Wireless / VLAN tagging?
 
Cvan
Member Candidate
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Extend dynamic VLANs to Wireless 802.1x

Fri Oct 04, 2019 9:41 am

I can get wireless vlans working if I choose 'use tag' and add vlan id per wifi interface.
But not able to get dynamic wireless vlans working from a singular SSID where the vlan id sent to the dhcp server in the response from radius server and then assigned IP by matching dhcp vlan server

My Mikrotik wireless device that handles the radius request and response sits behind the wan facing primary mikrotik router that assigns all the ip addresses via its dhcp server.

So not sure if how I am trying is the correct way. Maybe the radius response needs to go the primary mikrotik router that is handing out the ip addresses, but that router has no wireless capabilities so how to tell the wireless mikrotik router to forward the radius response to the primary mirkotik router for DCHP assignment..?
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1396
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Extend dynamic VLANs to Wireless 802.1x

Fri Oct 04, 2019 11:17 pm

The DHCP service must do the radius request
MTCNA, MTCTCE, MTCRE & MTCINE
 
Cvan
Member Candidate
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Extend dynamic VLANs to Wireless 802.1x

Sat Oct 05, 2019 2:56 am

ehhh wrong!!

NM all, I figured this one out surprisingly.. hit me up if you want to know my tricks!

No, I did not use the DHCP server (service) to handle the Radius request.. cheers

My Setup:

Radius = Windows Server NPS+AD
MT RB2011 (no wireless) (ROS 6.45.6)
MT hAP ac^2 (ROS 6.45.6)
MT RBcAPGi-5acD2nD (ROS 6.45.6)
 
Cvan
Member Candidate
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Extend dynamic VLANs to Wireless 802.1x

Tue Oct 08, 2019 3:19 am

Okay, the how...

ROS (6.45.6)

MT RB2011 (NO WIFI):
MT RB2011 (WAN facing) is radius client for 'ppp (VPN)' and 'dot1x (Ether)' NPS (Windows 2012 Server)
vlan trunk configured (vlan ids 7,8,9) MT RB2011 is the DHCP server for all.
Bridge vlan filtering enabled - Yes..

Three dhcp servers running on RB2011 one for each vlan interface etc.. Again no dhcp server is configured for radius, also I am NOT using dhcp checkbox in radius client configuration
dhcp-vlan7
dhcp-vlan8
dhcp-vlan9


MT hAP ac^2 (MT wifi router (2.4/5))
LAN facing radius client for 'wireless' only to NPS (Windows 2012 Server)
This one is hard wired into ether 7 of the RB2011 router
No dhcp servers are configured on MT hAP ac^2
3 vlans setup (vlan ids 7,8,9) (All ports bridged with vlan filtering enabled - Yes..
one wireless AP setup to use tag of master vlan id 1
3 virtual wireless bridges setup to use tag of 7,8,9...
wifi-vlan-7
wifi-vlan-8
wifi-vlan-9

So now.. when the user connects to the wifi-ap-bridge; the MT hAP ac^2 sends a wireless radius request to the NPS radius server..
The NPS radius server sends a response back to the MT hAP ac^2 with the access aproval and vlan id assigment attribute..
With the returned attribute the user connects to the corresponding wifi-bridge; at which point a dhcp broadcast is sent from the
authenticated client device; this dhcp request is passed ONTO the MT RB2011 since no dhcp server is configured on MT hAP ac^2
and there is a link between the two MT routers. The client device is authorized so the MT RB2011 gives out an IP address from the vlan-dhcp-server based on the
client connections vlan id.. and that is about it... so as we can now see; you do not need to use dhcp in your radius config
to get a dhcp assignment from a radius request and response... sound about right

Who is online

Users browsing this forum: MSN [Bot] and 10 guests